CVE-2022-36062
Grafana folders admin only permission privilege escalationGrafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.
We have discovered 106 live websites that are affected by CVE-2022-36062.
Common Weakness Enumeration
CWE-281 Improper Preservation of PermissionsDetails
- Published - Sep 22, 2022
- Updated - Apr 23, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2022-36062 United States | 36 websites |
 Germany | 25 websites |
 France | 7 websites |
 Russia | 6 websites |
 Netherlands | 4 websites |
 Australia | 2 websites |
 Switzerland | 2 websites |
 Italy | 2 websites |
 Poland | 2 websites |
Website Distribution by TLD
Number of websites using CVE-2022-36062| .com | 20 websites |
| .org | 15 websites |
| .de | 10 websites |
| .eu | 7 websites |
| .ru | 6 websites |
| .ch | 4 websites |
| .net | 3 websites |
| .pl | 2 websites |
| .it | 2 websites |
| .info | 2 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2022-36062
Top websites that are affected by CVE-2022-36062. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ************.com | United States | ***,*** | |
| ****.********.org | United States | *,***,*** | |
| *******.*******.edu | United States | *,***,*** | |
| ********************.com | United States | *,***,*** | |
| *****.com | United States | *,***,*** | |
| *****.********.org | Germany | *,***,*** | |
| ***.******.org | Italy | *,***,*** | |
| *******.*********.audio | Germany | **,***,*** | |
| *********.*******.eu | United States | **,***,*** | |
| ********.fr | France | **,***,*** |
FAQ
CVE-2022-36062 is Improper Preservation of Permissions in Grafana
A total of 106 websites have been identified as vulnerable to CVE-2022-36062, based on global website indexing conducted by WebTechSurvey.
The Grafana is affected by the CVE-2022-36062 vulnerability.
Grafana versions up to 9.1.6 are vulnerable to CVE-2022-36062.
CVE-2022-36062 is resolved in version 9.1.6 of Grafana.